Hi,
In the network offering, if you select ZONE-wide source NAT, then source rules are 
not configured by CloudStack. The admin/user has to manually select the source NAT IP 
and configure the source NAT rules.
Ok, thanks for the precision.

When you configure firewall rules, firewall filter rules on the SRX get configured.
Please try configuring TCP/UDP rules. For ICMP there is a bug and the fix will be 
committed soon.
I just tried, and it's not working. First, when I acquire another IP, the new IP is not even configured on the SRX. So even if I create firewall rules, they are not created/applied. Anyway, I tried using TCP. I looked in the logs, and CloudStack won't even trigger the SRX code.

Thanks!

Thanks,
Jayapal

On 21-May-2013, at 11:48 PM, Francois Gaudreault <fgaudrea...@cloudops.com> wrote:

Jayapal,

I added the SRX now, I can get the basic stuff working (private interface 
created), but it looks like the source nat rules are not being created.  Also, 
when I create firewall rules, they are not being created on the SRX.  However, 
I can get the destination nat (port-forwarding) working.  Any ideas?

Thanks!

On 2013-05-14 1:15 PM, Jayapal Reddy Uradi wrote:
For the private interface just enable VLAN tagging. When a guest network is 
created, CloudStack will configure the interface with the VLAN and IP.

Minimal config is:

1. Set the management interface with an IP and use this IP while adding the SRX into 
CloudStack.
2. Enable VLAN tagging on the private interface.
3. Set the CloudStack public VLAN on the SRX public interface.
4. Add rules to allow traffic from the trust to the untrust zone.
5. Set appropriate routes for the trust and untrust subnets.


By default, guest traffic from trust (guest) to untrust (public) is blocked on latest 
master. Add egress rules once the guest network is created.

Let me know if you see any issues.

Thanks,
Jayapal

On 14-May-2013, at 10:33 PM, Francois Gaudreault <fgaudrea...@cloudops.com> wrote:

Hi Jayapal,
To add an SRX device into CloudStack, you need to preconfigure the SRX. The SRX needs 
3 interfaces to be added into CloudStack:
1. management interface
2. private/guest network interface
3. public interface
Ok.  It confirms what I understood :)
Please find the config below. It is a bit old CloudStack config on the SRX, but it 
will give you an idea.
You need to update the firewall filter trust/untrust.
Which parts actually need to be there for the pre-provisioning? I guess some 
part of that config example has been done by CloudStack... (i.e. do we need to 
create guest VLAN interfaces on the private interface right at the beginning?)  
In other words, what's the minimal config needed before adding the SRX to CS?

Thanks!
set version 10.4R6.5
set system time-zone Asia/Calcutta
set system root-authentication encrypted-password "$1$ucpHjRfH$dNkhOuzKXJxrpAtewvTu.1"
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system name-server 10.147.28.6
set system name-server 4.2.2.2
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management http interface fe-0/0/0.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 description "Management Interface"
set interfaces fe-0/0/0 unit 0 family inet address 10.147.40.3/23
set interfaces fe-0/0/1 description "Private network"
set interfaces fe-0/0/1 vlan-tagging
set interfaces fe-0/0/1 unit 929 vlan-id 929
set interfaces fe-0/0/1 unit 929 family inet address 10.0.64.1/20
set interfaces fe-0/0/1 unit 1122 vlan-id 1122
set interfaces fe-0/0/1 unit 1122 family inet address 10.0.32.1/20
set interfaces fe-0/0/4 description "Public Network"
set interfaces fe-0/0/4 vlan-tagging
set interfaces fe-0/0/4 unit 52 vlan-id 52
set interfaces fe-0/0/4 unit 52 family inet address 10.147.52.3/24
set interfaces fe-0/0/4 unit 52 family inet address 10.147.52.19/24
set interfaces vlan unit 52 family inet
set routing-options static route 10.147.40.0/23 next-hop 10.147.40.1
set routing-options static route 10.147.40.0/23 install
set routing-options static route 10.146.0.0/24 next-hop 10.147.40.1
set routing-options static route 10.146.0.0/24 install
set routing-options static route 10.147.52.0/24 next-hop 10.147.52.1
set routing-options static route 10.147.52.0/24 install
set routing-options static route 10.147.39.0/24 next-hop 10.147.40.1
set routing-options static route 10.147.29.0/24 next-hop 10.147.40.1
set routing-options static route 0.0.0.0/0 next-hop 10.147.52.1
set routing-options static route 0.0.0.0/0 install
set routing-options static route 10.147.28.6/32 next-hop 10.147.52.1
set routing-options static route 10.147.28.6/32 install
set routing-options static route 10.252.248.0/24 next-hop 10.147.52.1
set protocols stp
set security nat source pool 10-147-52-113 address 10.147.52.113/32
set security nat source rule-set trust from zone trust
set security nat source rule-set trust to zone untrust
set security nat source rule-set trust rule 10-147-52-113-10-0-32-0-20 match source-address 10.0.32.0/20
set security nat source rule-set trust rule 10-147-52-113-10-0-32-0-20 then source-nat pool 10-147-52-113
set security nat proxy-arp interface fe-0/0/4.52 address 10.147.52.116/32
set security nat proxy-arp interface fe-0/0/4.52 address 10.147.52.113/32
set security zones security-zone trust address-book address 10-0-78-206 10.0.78.206/32
set security zones security-zone trust address-book address 10-0-33-27 10.0.33.27/32
set security zones security-zone trust address-book address 10-0-35-239 10.0.35.239/32
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/1.929
set security zones security-zone trust interfaces fe-0/0/1.1122
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/4.52
set security zones security-zone MGMT host-inbound-traffic system-services all
set security zones security-zone MGMT interfaces fe-0/0/0.0
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy accept-all match source-address any
set security policies from-zone trust to-zone trust policy accept-all match destination-address any
set security policies from-zone trust to-zone trust policy accept-all match application any
set security policies from-zone trust to-zone trust policy accept-all then permit
set security policies from-zone MGMT to-zone trust policy MGMT-to-trust match source-address any
set security policies from-zone MGMT to-zone trust policy MGMT-to-trust match destination-address any
set security policies from-zone MGMT to-zone trust policy MGMT-to-trust match application any
set security policies from-zone MGMT to-zone trust policy MGMT-to-trust then permit
set security policies from-zone MGMT to-zone MGMT policy accept-mgmt match source-address any
set security policies from-zone MGMT to-zone MGMT policy accept-mgmt match destination-address any
set security policies from-zone MGMT to-zone MGMT policy accept-mgmt match application any
set security policies from-zone MGMT to-zone MGMT policy accept-mgmt then permit
set firewall filter untrust term 10-147-52-116 from destination-address 10.147.52.116/32
set firewall filter untrust term 10-147-52-116 then count 10-147-52-116
set firewall filter untrust term 10-147-52-116 then accept
set firewall filter untrust term 10-147-52-113 from destination-address 10.147.52.113/32
set firewall filter untrust term 10-147-52-113 then count 10-147-52-113
set firewall filter untrust term 10-147-52-113 then accept
set firewall filter trust term 10-147-52-113 from source-address 10.0.32.0/20
set firewall filter trust term 10-147-52-113 then count 10-147-52-113
set firewall filter trust term 10-147-52-113 then accept
set applications application tcp-22-22 protocol tcp
set applications application tcp-22-22 destination-port 22
set vlans test vlan-id 52
set vlans test l3-interface vlan.52

Thanks,
Jayapal
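The five-step minimal config from Jayapal's earlier reply, the example SRX config above, and the note that source NAT rules must be created by hand under zone-wide source NAT all describe things an admin should verify on the SRX before adding it to CloudStack. The script below is an added example (not code from this thread, from CloudStack, or from Junos) that parses a Junos "set"-style configuration and reports which of those prerequisites are missing. The interface names passed to it and the embedded sample configuration are constructed for illustration, modelled on the config above.

```python
"""Audit a Junos 'set'-style SRX configuration against the minimal
prerequisites listed in the thread before the device is added to
CloudStack (management IP, VLAN tagging on the private interface, the
public VLAN on the public interface, a trust-to-untrust permit policy,
routes), plus the trust-to-untrust source NAT rule that the thread says
the admin must create by hand under zone-wide source NAT.

Added example, not code from the thread, CloudStack or Junos.
Interface names and the sample configuration are constructed.
"""
import shlex

# Constructed sample, modelled on the thread's config; not a real device.
SAMPLE_CONFIG = """\
set interfaces fe-0/0/0 description "Management Interface"
set interfaces fe-0/0/0 unit 0 family inet address 10.147.40.3/23
set interfaces fe-0/0/1 description "Private network"
set interfaces fe-0/0/1 vlan-tagging
set interfaces fe-0/0/4 description "Public Network"
set interfaces fe-0/0/4 vlan-tagging
set interfaces fe-0/0/4 unit 52 vlan-id 52
set interfaces fe-0/0/4 unit 52 family inet address 10.147.52.3/24
set routing-options static route 0.0.0.0/0 next-hop 10.147.52.1
set routing-options static route 10.147.40.0/23 next-hop 10.147.40.1
set security nat source pool 10-147-52-113 address 10.147.52.113/32
set security nat source rule-set trust from zone trust
set security nat source rule-set trust to zone untrust
set security nat source rule-set trust rule r1 match source-address 10.0.32.0/20
set security nat source rule-set trust rule r1 then source-nat pool 10-147-52-113
set security zones security-zone trust interfaces fe-0/0/1.1122
set security zones security-zone untrust interfaces fe-0/0/4.52
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
"""


def parse_set_config(text):
    """Return one tuple of tokens per 'set ...' statement, leading 'set' dropped."""
    statements = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("set "):
            continue  # blanks, comments and non-'set' lines are ignored
        statements.append(tuple(shlex.split(line)[1:]))
    return statements


def _has_prefix(statements, *prefix):
    return any(s[:len(prefix)] == prefix for s in statements)


def check_srx_prereqs(text, mgmt_if, private_if, public_if, public_vlan):
    """Map each prerequisite name to True (present) or False (missing)."""
    stmts = parse_set_config(text)
    vlan = str(public_vlan)
    findings = {}
    # 1. management interface carries an IP address
    findings["mgmt_ip"] = any(
        s[:2] == ("interfaces", mgmt_if) and "address" in s for s in stmts)
    # 2. VLAN tagging enabled on the private/guest interface
    findings["private_vlan_tagging"] = _has_prefix(
        stmts, "interfaces", private_if, "vlan-tagging")
    # 3. CloudStack's public VLAN configured on the public interface
    findings["public_vlan"] = _has_prefix(
        stmts, "interfaces", public_if, "unit", vlan, "vlan-id", vlan)
    # 4. a trust -> untrust policy that permits traffic
    findings["trust_to_untrust_permit"] = any(
        s[:6] == ("security", "policies", "from-zone", "trust", "to-zone", "untrust")
        and s[-2:] == ("then", "permit") for s in stmts)
    # 5. a default route toward the untrust side
    findings["default_route"] = _has_prefix(
        stmts, "routing-options", "static", "route", "0.0.0.0/0", "next-hop")
    # the interfaces must actually be members of the trust/untrust zones
    zone = ("security", "zones", "security-zone")
    findings["zone_membership"] = (
        any(s[:5] == zone + ("trust", "interfaces") and len(s) > 5
            and s[5].startswith(private_if + ".") for s in stmts)
        and zone + ("untrust", "interfaces", f"{public_if}.{vlan}") in stmts)
    # zone-wide source NAT: a trust -> untrust rule-set with a source-nat action
    rs_prefix = ("security", "nat", "source", "rule-set")
    rule_sets = {s[4] for s in stmts if s[:4] == rs_prefix and len(s) > 4}
    findings["source_nat_rule"] = any(
        rs_prefix + (rs, "from", "zone", "trust") in stmts
        and rs_prefix + (rs, "to", "zone", "untrust") in stmts
        and any(s[:5] == rs_prefix + (rs,) and "source-nat" in s for s in stmts)
        for rs in rule_sets)
    return findings


def missing_prereqs(text, mgmt_if, private_if, public_if, public_vlan):
    """Sorted names of the prerequisites that the configuration lacks."""
    findings = check_srx_prereqs(text, mgmt_if, private_if, public_if, public_vlan)
    return sorted(name for name, ok in findings.items() if not ok)


if __name__ == "__main__":
    result = check_srx_prereqs(SAMPLE_CONFIG, "fe-0/0/0", "fe-0/0/1", "fe-0/0/4", 52)
    for name, ok in result.items():
        print(f"{'OK  ' if ok else 'MISS'} {name}")
```

Run it against `show configuration | display set` output saved to a file, passing the management, private and public interface names and the CloudStack public VLAN for your zone; an empty list from `missing_prereqs` means the five steps (and the manual source NAT rule) are all present, and anything listed is what still has to be configured before the SRX is added.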

On 14-May-2013, at 7:36 PM, Francois Gaudreault <fgaudrea...@cloudops.com> wrote:

Hi,

I saw in the wiki there is a page for SRX configuration to integrate with 
CloudStack.  However, the steps are not really clear, and the example config 
link is kinda broken.  Does someone have a copy of this example config 
somewhere?

Thanks!

--
Francois Gaudreault
Architecte de Solution Cloud | Cloud Solutions Architect
fgaudrea...@cloudops.com
514-629-6775
- - -
CloudOps
420 rue Guy
Montréal QC  H3J 1S6
www.cloudops.com
@CloudOps_